Docker-alpine: nsenter on Alpine 3.6 won't enter namespaces for a specified PID

Created on 20 Nov 2017  路  5Comments  路  Source: gliderlabs/docker-alpine

Steps to reproduce:
1) Start container with Alpine 3.6
2) Start a container within that container.
3) "nsenter -p -i -u -m -n -t CONTAINER_PID /bin/sh"

Expected result:
A new /bin/sh session inside of container pid.

Actual result:
nsenter shows the help display again without an error.

Command I ran:

/ # nsenter -m -u -i -n -p -t 46 /bin/sh
BusyBox v1.26.2 (2017-10-04 13:37:41 GMT) multi-call binary.

Usage: nsenter [OPTIONS] [PROG [ARGS]]

    -t, --target=PID        Target process to get namespaces from
    -m, --mount[=FILE]      Enter mount namespace
    -u, --uts[=FILE]        Enter UTS namespace (hostname etc)
    -i, --ipc[=FILE]        Enter System V IPC namespace
    -n, --net[=FILE]        Enter network namespace
    -p, --pid[=FILE]        Enter pid namespace
    -U, --user[=FILE]       Enter user namespace
    -S, --setuid=UID        Set uid in entered namespace
    -G, --setgid=GID        Set gid in entered namespace
    --preserve-credentials      Don't touch uids or gids
    -r, --root[=DIR]        Set root directory
    -w, --wd[=DIR]          Set working directory
    -F, --no-fork           Don't fork before exec'ing PROG

Changing the order, omitting, or even specifying the direct paths to the namespaces doesn't yield a different result.

If I run "apk add --update util-linux" then try to run the above command, I get:
.: applet not found

Thank you

question
Source
picture JakeWarner
👍1

Most helpful comment

@lots0logs This is not an issue with alpine, but an issue with nsenter. Use -- to tell nsenter to stop trying to parse options. The following (with the -- separator and appropriate quotes) should work for you:

docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "echo 'hello world'"

I believe this issue can be closed now (works for both alpine:edge and alpine:latest).

$ docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "ls -lAF"
total 10564
drwxr-xr-x    1 root     root          2048 May  7 14:01 EFI/
drwxr-xr-x    1 root     root         12288 Jul 10  2018 bin/
drwxr-xr-x    1 root     root          2048 May  7 14:01 boot/
drwxr-xr-x    1 root     root          2048 Apr 18  2017 containers/
drwxr-xr-x   11 root     root          2960 May 27 23:19 dev/
drwx------    1 root     root          6144 Apr 18  2017 etc/
drwxr-xr-x    1 root     root          2048 Jul 10  2018 home/
-rwxr-xr-x    1 root     root       1884480 Jul 10  2018 init*
drwxr-xr-x    1 root     root          4096 Sep  7  2018 lib/
drwxr-xr-x    1 root     root          2048 Jul 10  2018 media/
drwxr-xr-x    1 root     root          2048 Jul 10  2018 mnt/
drwx------    1 root     root          2048 Apr 18  2017 opt/
dr-xr-xr-x  183 root     root             0 May 27 23:19 proc/
drwx------    1 root     root          2048 Jul 10  2018 root/
drwxr-xr-x    9 root     root           620 May 27 23:20 run/
drwxr-xr-x    1 root     root         12288 Jul 10  2018 sbin/
-rwxr-xr-x    1 root     root       8876696 May  7 13:59 sendtohost*
drwxr-xr-x    1 root     root          2048 Jul 10  2018 srv/
dr-xr-xr-x   13 root     root             0 May 27 23:19 sys/
drwxrwxrwt    2 root     root            40 May 27 23:20 tmp/
drwx------    1 root     root          2048 Jul 10  2018 usr/
drwxr-xr-x   11 root     root           260 May 27 23:19 var/

$ docker image ls alpine
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              055936d39205        2 weeks ago         5.53MB
alpine              edge                43cffc6f84a4        2 weeks ago         5.56MB
picture subfuzion on 28 May 2019
👍4

All 5 comments

Looks like this may be the same issue referenced in: https://github.com/linuxkit/linuxkit/issues/567

JakeWarner picture JakeWarner on 20 Nov 2017

Option parsing for the -t, -S and -G options seems to be broken in BusyBox's nsenter. I've sent a patch to the mailing list: http://lists.busybox.net/pipermail/busybox/2018-May/086409.html If it's accepted upstream I'll make a pull request to the Alpine package.

euanh picture euanh on 4 May 2018

This problem is fixed as of Busybox 1.28.3r0 in Alpine Edge.

euanh picture euanh on 21 May 2018

Seems the issue remains if you try to pass arguments to the command like:

docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh -c echo 'hello world'
lots0logs picture lots0logs on 15 Jan 2019

@lots0logs This is not an issue with alpine, but an issue with nsenter. Use -- to tell nsenter to stop trying to parse options. The following (with the -- separator and appropriate quotes) should work for you:

docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "echo 'hello world'"

I believe this issue can be closed now (works for both alpine:edge and alpine:latest).

$ docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "ls -lAF"
total 10564
drwxr-xr-x    1 root     root          2048 May  7 14:01 EFI/
drwxr-xr-x    1 root     root         12288 Jul 10  2018 bin/
drwxr-xr-x    1 root     root          2048 May  7 14:01 boot/
drwxr-xr-x    1 root     root          2048 Apr 18  2017 containers/
drwxr-xr-x   11 root     root          2960 May 27 23:19 dev/
drwx------    1 root     root          6144 Apr 18  2017 etc/
drwxr-xr-x    1 root     root          2048 Jul 10  2018 home/
-rwxr-xr-x    1 root     root       1884480 Jul 10  2018 init*
drwxr-xr-x    1 root     root          4096 Sep  7  2018 lib/
drwxr-xr-x    1 root     root          2048 Jul 10  2018 media/
drwxr-xr-x    1 root     root          2048 Jul 10  2018 mnt/
drwx------    1 root     root          2048 Apr 18  2017 opt/
dr-xr-xr-x  183 root     root             0 May 27 23:19 proc/
drwx------    1 root     root          2048 Jul 10  2018 root/
drwxr-xr-x    9 root     root           620 May 27 23:20 run/
drwxr-xr-x    1 root     root         12288 Jul 10  2018 sbin/
-rwxr-xr-x    1 root     root       8876696 May  7 13:59 sendtohost*
drwxr-xr-x    1 root     root          2048 Jul 10  2018 srv/
dr-xr-xr-x   13 root     root             0 May 27 23:19 sys/
drwxrwxrwt    2 root     root            40 May 27 23:20 tmp/
drwx------    1 root     root          2048 Jul 10  2018 usr/
drwxr-xr-x   11 root     root           260 May 27 23:19 var/

$ docker image ls alpine
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              055936d39205        2 weeks ago         5.53MB
alpine              edge                43cffc6f84a4        2 weeks ago         5.56MB
subfuzion picture subfuzion on 28 May 2019
👍4
Was this page helpful?
0 / 5 - 0 ratings

Related issues

oarmstrong picture oarmstrong  路  4Comments
sirhopcount picture sirhopcount  路  3Comments
nrvnrvn picture nrvnrvn  路  4Comments
robinmonjo picture robinmonjo  路  4Comments
javixeneize picture javixeneize  路  4Comments